In May 2021, a group of Russian cybercriminals launched a powerful ransomware attack on the Colonial Pipeline, resulting in gas shortages all along the East Coast.

Jon Miller and Ryan Smith decided to do something about it. 

Namely, they decided to start a cybersecurity company that would be built on their experience helping the U.S. government build cyberweapons. “If the ransomware groups can get away pulling off attacks like this, they’re just going to get bigger and bolder, and there’s going to be more of them,” Miller remembered thinking at the time. “We wanted to build something that would essentially make ransomware unsuccessful for the attackers.” 

Jon and Ryan were uniquely positioned to build such a product. Close friends and business partners for 20 years, they’d spent a chunk of their careers on the offensive side of cybersecurity for the federal government. That experience lent them an uncommon understanding of the particular techniques used by ransomware perpetrators. Using their knowledge of those techniques – known as tactics, techniques and procedures (TTPs) – they were able to reverse-engineer an impervious defensive system. 

They’re offering shields at a time when a deluge of ransomware arrows are raining down on companies and their infrastructure like never before. According to a recent report from Apple, there were nearly 70% more reported attacks in the first nine months of 2023 than in the same period in 2022. Cryptocurrency tracing firm Chainalysis estimated that victims were forced to pay ransomware groups $449 million in the first six months of 2023 alone. If the current pace continues, that number could reach $898 million for the full year. 

As you can imagine, many companies and other entities are interested in protection against being extorted for their own data. Since its founding just two years ago, the San Diego- and Austin-based company has grown to a team of 75 and has been partnering with hundreds of customers, including some of the world’s largest corporations, government agencies and municipalities, to keep their data out of cybercriminals’ reach.

BCV is excited to be part of Halcyon’s effort to keep ransomware attacks at bay. We’re leading Halcyon’s $40 million Series B, and were helped by Shafic Mackie, an extern from Bain Capital’s North America Private Equity unit. As part of the deal, BCV operating partner Jeff Williams, who has a long career in both cybersecurity and helping startups scale, has become Halcyon’s chief revenue officer.

Meet the Founders: A decades-long cybersecurity partnership

Jon and Ryan originally met in 2007 at Accuvant LABS, where Ryan was chief scientist and Jon was building and leading what was the largest technical consultancy at the time, working with over 95% of the Fortune 500 as an offensive security expert. The two quickly became close friends and started working on various projects together. They had a stint at Cylance (later acquired by Blackberry), and then teamed up to co-found Boldend, a next-gen defense contractor that helped the U.S. government create offensive tools. It was the only SaaS provider of cyber weapons to the U.S intelligence community. 

In 2021, when news of the Colonial Pipeline breach landed, the pair realized how urgently their knowledge of ransomware attackers was needed on the other side of the equation than they’d previously worked: defensive endpoints. As they put it, they would effectively “build the sword to the shield” they had created.

This desire evolved into the anti-ransomware agent that Halcyon is today, begun as a project within Boldend. Six months into it, there was such positive feedback that Jon and Ryan spun it off completely, and Jon and Ryan took the entirety of Boldend’s engineering team to the new company.

Jon describes the Halcyon’s culture as scrappy, experimental and high-performing, producing a tool that provides a service that’s unmatched. “We try hard to focus on features that other companies don’t have,” he said.

Jeff added that the team is united by a common mission to protect people, companies and countries from ransomware. This escalating threat is not only highly disruptive to business continuity, but also extremely expensive to recover from, as companies are paying ransom and even being extorted if data was exfiltrated. Halcyon is the only company that can detect, prevent and recover from the most sophisticated ransomware attacks.

How It Works: A multi-layered moat

Jon and Ryan built Halcyon by homing in on the strategies attackers were using most frequently, and building their architecture to thwart those specific TTPs, leveraging sophisticated artificial intelligence. 

“There are 100-200 ransomware groups out there at a given time. That’s enough to get your hands around — it’s not millions or billions,” Jon said. “You can actually focus on the attackers that are attacking.”

That focus led Halcyon to a layered approach where a would-be attacker attempting to breach a company’s infrastructure is progressively hamstrung by multiple features blocking their efforts at different points in the assault. 

Even in the unlikely event that an especially sophisticated cybercriminal manages to break in, Halcyon offers an autonomous isolation and recovery layer that prevents the ransomware from spreading across the company. Halcyon features a unique pre-execution defense system, informed by machine learning trained exclusively on ransomware, allowing it to identify and fend off ransomware before it can execute.

What makes Halcyon’s platform especially appealing for organizations of all kinds is that it is lightweight and conflict-free, meaning it runs alongside any existing endpoint detection and response (EDR), endpoint protection platform (EPP) or extended detection and response (XDR) without interfering or slowing things down. 

Jon said that customers are often most drawn to the recovery layer. “That’s what actually mitigates risk for a company,” he said. But Halcyon hasn’t had to recover a customer in the past year. “We’ve stopped every ransomware attack that has evaded all of the incumbents in the space, completely pre-execution.”

What’s Next: Even stronger protection

Jon says that Halcyon’s future plans are to stick to its tripartite credo: detect, protect and recover.  

It’ll do so by expanding its work in initial access and lateralization, proactively preventing ransomware attackers from ever getting clients in their sights. The team is also working on solutions for data exfiltration, stopping data from ever leaving a company’s system.

“For some people, that’s even more costly than the act of ransom,” Jeff said. “This could drive a whole new set of opportunities from a compliance standpoint.” 

Jon also points out that Halcyon’s success will diminish the attractiveness of ransomware for cybercriminals. “Too many organizations are simply adapting their XDR and endpoint protection platforms solutions and applying them to the ransomware fight, which is contributing to ransomware’s explosive growth,” he said. By bringing on Halcyon’s platform, an organization can instead add a highly sophisticated tool to its arsenal dedicated solely to ransomware, and it’s a decision we think is a wise one to make.